Closed Bug 289800 Opened 20 years ago Closed 20 years ago

mistyped https URL redirects to Paypal.com

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 289793

People

(Reporter: iang, Assigned: dveditz)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050406 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.6) Gecko/20050406 Firefox/1.0.2

This looks like #231720 but done with HTTPS.  If any domain is mistyped with
https the redirect goes to Paypal.  This breaches the security model of HTTPS; 
the browser should not make any adjustments arbitrarily to the URL typed in to
URL bar, and should in some way show that a redirect has happened if HTTPS is
involved and certificates are being expected to be checked.

https::/blahblah.com/  Or any other correct domain in an invalid URL.

As it was discovered by payments people (Gordon Katz of KatzGlobal.com), and as
everyone in that world is panicing about phishing, I think this could be major.

It currently it appears mostly embarrassing rather than exploitable.  I can't
quite see how to exploit it but phishers are more persistent than I.

At the minimum, the google "I'm feeling lucky" feature ... if that is what it is
... should be turned off for https.  Actually, I'd rather the Lucky feature
should be turned off altogether or made into a separate thing like lucky:"search
string" as until the UI is improved (a la Gervase, HJ/, trustbar) to do
user-engaged security, there is way too much emphasis on that URL bar to be
worthy of confidence so any "tricks" should be kept to a minimum.

Reproducible: Always

Steps to Reproduce:
1. type in https::/some domain/
2. hit return
3. see Paypal.com, connected with https

Actual Results:  
Get silently redirected to http://Paypal.com/

Expected Results:  
Indicated that the URL was invalid and that the user should examine it and fix
the typing.

This is a security bug.  It doesn't need to be kept confidential.

*** This bug has been marked as a duplicate of 289793 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
You can always reopen the original bug - no need to try to file it again.
You need to log in before you can comment on or make changes to this bug.